py-WebOb: updated to 1.8.10
1.8.10 (2026-06-02)
Security Fix
- The fix for CVE-2024-42353 was incomplete: a Location value containing
ASCII tab, carriage return, or line feed characters between consecutive
slashes could still be interpreted as a protocol-relative URL by
``urllib.parse.urljoin`` on Python 3.10+, allowing an open redirect.
tor: updated to 0.4.9.10
Changes in version 0.4.9.10 - 2026-06-23
Another release with an important security fix and major bugfixes. We
strongly recommend upgrading as soon as possible.
o Major bugfixes (conflux, security, TROVE):
- Reject a CONFLUX_LINK cell that arrives on a circuit which already
has attached streams. A malicious client could send a
RELAY_COMMAND_BEGIN before the CONFLUX_LINK on the same circuit,
attaching an exit stream that would later end up orphan leaving a
dangling circuit back-pointer and a use-after-free (UAF) when the
circuit is freed. TROVE-2026-025. Fixes bug 41258; bugfix
on 0.4.8.1-alpha.
o Major bugfixes (client):
- Resume warning about unsafe socks protocols (socks4 or
socks5-not-hostname) when SafeSocks is not set. Also resume
warning every time when TestSocks is set. Fixes bug 41290; bugfix
[37 lines not shown]
misc/py-libtmux: Update to 0.58.1
## libtmux 0.58.1 (2026-06-16)
libtmux 0.58.1 restores compatibility with pytest 9.1. The bundled
pytest plugin no longer aborts at import time, so projects that rely on
libtmux's fixtures can move to the latest pytest without their test
suite failing before collection.
## libtmux 0.58.0 (2026-05-23)
libtmux 0.58.0 fixes subprocess output decoding on non-UTF-8 locales.
Both {class}`~libtmux.common.tmux_cmd` and
{class}`~libtmux._internal.control_mode.ControlMode` now enforce UTF-8
when reading tmux output, matching tmux's own encoding contract.
## libtmux 0.57.1 (2026-05-18)
Restores the "lenient-by-default" behavior for
[68 lines not shown]
Pull up the following revisions, requested by martin in ticket #324:
usr.sbin/sysinst/util.c 1.82,1.83
PR 60354: move the test and new message about optional sets missing
into the correct place so it only shows the message when we really
can not find the set.
This only applies to local files.
libtorrent rtorrent: updated to 0.16.15
0.16.15
Cleanup of old unused/unneeded code and commands continues, and the deprecated commands should no longer be used.
libass: updated to 0.17.5
libass (0.17.5)
* Fix limited OOB read and write in wrap_lines_measure (GHSA-pjjp-65r7-ppgm; CVE pending)
* Fix OOB bit clears for negative Matroska ReadOrder fields (GHSA-5gf7-wjfm-vmvm; CVE pending)
* Fix \fay with glyph clusters
* Fix small alpha changes not always splitting runs when combined with fade
* Fix compilation with MSVC-mode clang
* Fades are now applied to BorderStyle=4 boxes too
* Fonts using legacy arabic Windows charmaps are now supported
* ass_render_frame no longer returns fully transparent images
* Avoid MSVC’s subpar code generation for isnan to bring performance closer to other compilers
* Avoid SSE instructions if compiler baseline already includes AVX
PR 60354: fix a stupid mistake in the previous change:
move the test and new message about optional sets missing into the
correct place so it only shows the message when we really can not
find the set.
ppp(4): Use 32-bit timeouts, not 64-bit timeouts.
The timeouts are checked every 15sec so there is no real need to
record starting and ending times in units of seconds with more than 5
bits of precision. So 32-bit starting and ending times are more than
enough. And there is surely no need for decades-long timeouts.
1. Clamp the timeouts in SPPPSETIDLETO(struct spppidletimeout) and
SPPPSETKEEPALIVE(struct spppkeepalivesettings) to INT32_MAX/2,
which is over 34 years worth of seconds.
(We should never have spent any effort on time_t compat for these:
we should have just left them at 32-bit! Oh well.)
2. Use time_uptime32, not time_uptime, since 32-bit unsigned
arithmetic is large enough to handle all the differences we will
encounter when timeouts are clamped to INT32_MAX/2 without any
risk of trouble from wraparound.
PR kern/60364: if_spppsubr.c uses nonportable 64-bit atomics
bfs: update to 4.1.3. Changes:
## Bug fixes
- Fixed a segfault when binaries built on macOS 26.4+ were run on older macOS
versions (#229)
- Fixed a potential hang in the test suite
- Fixed `./configure`-time detection of `sysctlbyname()` on FreeBSD (#219)
- Bumped the default version number, which was missed in 4.1.1
- Fixed `./configure CFLAGS=...` being overridden by auto-detected flags
- Fixed the build for WASIX
- Fixed the build on Android < 11 (#215)
- `bfs` now takes system-wide open file limits into account.
Previously, a handful of concurrent `bfs` instances could overwhelm a system
with a low global limit, particularly macOS.
- Fixed an invalid optimization that transformed
$ bfs -user you -or -user me
[350 lines not shown]
nodejs22: updated to 22.23.1
22.23.1 'Jod' (LTS)
This release includes a fix for an unexpected behavior introduced
by the recent security release (22.23.0).
amule: updated to 3.0.0
3.0.0
Highlights
Throughput rewrite. Disk I/O moved off the main thread, ASIO/EPOLLET races fixed, throttlers replaced with proper token-bucket limiters. Peer-to-peer download on the same hardware sees ~100–380× speedups across macOS / Linux / Windows over 2.3.3, plus aMule 3.0.0 sustains ~4.8× the upload throughput of eMule 0.70b on Windows. See Performance for the full matrix and per-PR breakdown.
Both throttlers (MaxUpload, MaxDownload) were also broken pre-fix — MaxUpload=0 capped at "current rate + 5 KB/s", MaxDownload was a ratio controller rather than a literal cap. Both rewritten. Important user-facing bug fixes, but secondary to the headline numbers.
Big-library / big-shareset scaling. Follow-up wave targeting nodes with 100 k+ shared files: per-file EC payload caches, skip-unchanged EC updates, local-peer ZLIB bypass, and a string of O(N²) → O(N log N) / O(1) algorithmic fixes across SharedFileList, SharedFilesCtrl, KnownFileList, wxListCtrl, ExternalConn, and amuleweb — the WebUI / amulegui stay responsive even on libraries where the previous GUI took minutes to redraw.
CMake replaces autotools. Single build system, modern toolchain — minimum CMake 3.10, minimum wxWidgets 3.2.0.
Native binaries for every major desktop. AppImage (x86_64 + aarch64), Flatpak (x86_64 + aarch64), macOS Universal2 .dmg (now bundling aMuleGUI.app alongside aMule.app), Windows portable .zip and NSIS installer (x64 + ARM64). First-run desktop integration prompt for AppImage; cross-platform autostart-on-login toggle.
Auto-rescan of shared folders. wxFileSystemWatcher-driven, with recursive vs explicit-share intent split and coverage of Incoming + per-category Incoming dirs.
HTTPS works again. CHTTPDownloadThread rewritten on top of wxWebRequest; the hand-rolled stack had silently stopped working against modern TLS.
Kad parallel searches with alpha-frontier widening.
MaxMindDB replaces deprecated GeoIP for IP→country.
graphics/geeqie: Update to 2.8
pkgsrc changes:
drop patch that is now upstream
Upstream NEWS:
Geeqie 2.8
============
- Extensive bug fixes and code improvements
- More progress in GTK4 migration
geography/py-gnssutils: Update to 1.2.5
Upstream NEWS:
## What's Changed
1. Further enhancements and bug fixes to RINEX conversion routines.
1. Add support for SBAS L1CA, QZSS LNAV/CNAV, IRNSS (NAVIC) LNAV.
**NB:** Rinex Conversion remains an experimental Alpha feature and contributions (including wider area testing and bug reports) and feedback are welcomed.
